Depending on your perspective, the upcoming Community Meeting of the PCI SSC members is a “chance to provide feedback” or a place to “share ideas” regarding the standards or “Whinefest 2009.” I’m taking a perspective that dates back to the founding fathers and preparing a “List of Grievances.”
The U.S. Declaration of Independence includes a List of Grievances against King George of England. Apparently, putting together the list got the Continental Congress so riled up that they decided to make themselves a whole new country. But I’m not expecting anything that dramatic out of the PCI SSC Community Meeting. Although there are “pseudo-secessionist” groups, such as the Merchant Advisory Group, most of the following comments (which are taken from the anonymous interviews that are the cornerstone of our research) are meant to be constructive rather than revolutionary.
(Editor's Note: Would strongly suggest that you peek at the comments for this story. At times, that debate is almost--forgive me, David--more interesting than the column.)
“There is little guidance from the PCI SSC or the card brands or the banks when it comes to interpretation of key standards.” A related grievance is that when guidance is given, it’s usually specific to a given situation via a private communication to a QSA. Not only are merchants and service providers unhappy about this, so too are the QSAs, who complain that it takes months to get any kind of meaningful ruling from the SSC or the card brands or the compliance officer of an acquiring bank. The real issue here is that “guidance = liability,” which leads to a detailed review process for all “official” guidance, vaguely worded E-mails, and guidance being pushed back onto the QSAs, who pretty much get blamed for everything (or so they tell me).
“PCI compliance has effectively limited our deployment of virtualization, cloud computing, SaaS (software as a service) and other technologies designed to help us maximize the value of our IT investment.” Even though there are committees among the SSC community members looking at some of these issues, the task is tied to the process of adapting the “letter of the law” in the standards and designing a way of validating compliance with a set of standards that make “data ownership assumptions” that are fundamentally inconsistent with the SaaS and resource virtualization models.
“How can the card brands call what they are doing a standard, when they don’t standardize the enforcement process?” Many merchants and service providers complain that PCI DSS is functioning more like another ‘layer’ of requirements than an industry standard. This grievance is more common since the MasterCard “schism” that forces Level 1 and Level 2 merchants to use a QSA. But it’s been around since the beginning. Having the PCI SSC represent a bunch of guidelines that they call standards while each brand has whole separate lists of things they demand from merchants, service providers, banks and processors is more than a semantic issue.
“Why is it that banks say they don’t think they have to comply with PCI, when their debit cards are co-branded and carry the same risks of theft and even more risks to consumers?” I heard this grievance from a QSA who was frustrated after trying to educate issuing banks about PCI DSS. He found that the banks weren’t receiving the same warning letters and mandates, and that many bankers feel that PCI DSS is only a “merchant requirement,” when that is clearly not what the standards say. Retailers, for their part, argue that their security spending is now disproportionate to the level of risk they face relative to banks.
“With more than 230 controls that have to be met 100 percent of the time, there’s no way we’d be compliant if we were strict about this, so we’ve learned how to play the PCI game.” This grievance is focused on both the granularity of the controls and the enforcement process, which many merchants see as creating a nearly impossible task--continuous compliance. I’ve talked with many merchants who have decided that, until the PCI SSC shifts to a risk-based control enforcement process, they are going to just play the game. This game consists of hiring low-end QSAs, giving themselves passing grades with insufficient justification and treating PCI as an IT project rather than as an enterprise data security mandate.
“Our goal is to completely eliminate all instances of credit card data from all our systems. Period.” The grievance, of course, is about being “forced” to retain credit card data in the first place. But this has evolved over time. A year ago, only smaller merchants had this as a goal. Now, it’s common among merchants across the board--retailers, restaurants, hospitals, hotels, you name it. Some are looking at tokenization and some at end-to-end encryption while others are looking to outsource their payment processing entirely.
This choice is a senior executive decision, and this issue is an indicator that the company sees PCI DSS for the business issue that it is. But the interesting aspect is that the decision is usually the result of PCI compliance becoming so costly and annoying rather than the outcome of some close collaboration between the merchant’s CFO and their merchant bank. It’s an example of how PCI has driven a wedge (further) into the merchant/banker relationship instead of becoming a “common problem” they could work together to solve.
OK, so any column about “grievances” is not going to have a positive, uplifting message. I also left out several technical grievances related to specific controls, because that’s not the StorefrontBacktalk readership, I figure. But, if you’d like to discuss your own list of grievances, just visit the PCI Knowledge Base and fill out our “Contact us” form, or just send me an E-Mail at [email protected].